
Personal data protection -aaS

Every organization in the Russian Federation processes personal data in one way or another and therefore falls under Federal Law No. 152 (152-FZ). At present, most of them have done nothing at all about personal data protection.

The rest have, to some degree, brought their processing and protection of personal data into line with the requirements of the law. It might seem that the task of protecting personal data could then be declared complete and the operator could rest on its laurels, performing only routine operations within the documented and established processes, but that is not how it works. There are a number of reasons that will force the operator to return again and again to the question of keeping its processing compliant with Federal Law No. 152.
Here are some of them:

Another problem that some PD operators have to solve is the requirement to store personal data on the territory of the Russian Federation starting from September 1, 2015. Operators who previously stored data abroad therefore have to change their infrastructure in order to comply with Federal Law No. 152: either build their own data centers or turn to Russian hosting providers.
Solving such tasks independently, in your own data center, requires large labor and financial costs and, in addition, may make the solution hard to scale. We began to think about how to implement a fairly simple idea: to protect personal data "on top" of placing the information system in the cloud, so that, on the one hand, the client's capital expenditures are reduced (all payments become rental, i.e. operating expenses) and, on the other hand, the client's involvement in the process is minimized, ideally to the point where "everything protects itself." In this article we want to describe the joint solution of CloudCenter (the cloud provider) and the Andek company (the licensee). Perhaps a similar approach will be of interest to other service providers.

Such a problem cannot be solved well without control over the infrastructure, so the solution is built on the cloud provider's IaaS service, which is implemented on the Microsoft Hyper-V virtualization platform. Looking ahead a little, we will say that within this solution the following functions are assigned to the solution providers' side:

Now let us try to describe these functions in more detail.
First of all, you need to decide whether certified PD protection tools are required. Much ink has been spilled on this subject, including on Habr; see, for example, the excellent and detailed article by the user teecat, "How to catch something that does not exist. Part Five: The myth of the need for certified software". We will therefore limit ourselves to specific theses regarding the use of certified information protection tools (SZI):
  1. Federal Law No. 152 itself lists the use of information security tools that have passed the conformity assessment procedure in the prescribed manner only among other possible, but not mandatory, protection measures, and does not establish specific requirements for the form of that conformity assessment.
  2. Conformity assessment does not have to take the form of certification.
  3. Regulators do not have the right to extend the requirements of the Law on Personal Data.

Suppose, then, that a decision has been made to use uncertified protection tools.
Of course, even though such an approach is legitimate, it carries certain risks. Regulators may have their own view of the law in general and of the mandatory use of certified protection tools in particular. Thus, when choosing this approach, PD operators should understand that they may have to defend their point of view before the regulators, including in court.
In this case we will fulfill part of the FSTEC requirements for the protection of personal data with the built-in tools of the software and hardware in use, for example:

However, additional overlay protection measures are also needed, such as antivirus software, tools for protecting information in transit over open communication channels, security analysis (vulnerability scanning) tools, and so on.
Alternatively, you may have decided to play it safe and use certified SZI, regardless of whether the security features are built-in or overlay. In that case the protection tools must:

For our solution to be complete, the cloud provider must be ready to rent the overlay SZI to clients; otherwise a turnkey solution cannot be achieved.
Now let us try to work out the distribution of responsibility in this scheme. Our cloud provider supplies the virtual infrastructure and communication channels and does not control what happens inside the virtual machines. It is therefore definitely not a personal data operator, since it does not define the purposes of processing, the composition of the personal data, or the operations performed on it.
It follows that the cloud provider is not responsible to the regulators for fulfilling the requirements of the legislation, but must fulfill those requirements that are imposed on it by its agreement with the operator. So what can be entrusted to it?
The cloud provider cannot be responsible for what is inside the virtual machines, so it cannot take on in-guest access control systems and antivirus software (with the exception of agentless antivirus solutions, such as 5Nine). But the overlay security tools (firewalls, VPN gateways, etc.) and the protection of the virtualization layer can be managed by the cloud provider and no one else. This distribution of responsibilities must be written into the contract, so that the required set of measures is performed for the client jointly by the licensee and the cloud provider.
So we have figured out which protection tools we use and what to write in the contract. Can we stop here?
If our client, the personal data operator, is competent enough in personal data protection and has already dealt with these issues, then of course we could limit ourselves to technical protection measures; but where would we find such clients? When designing the service, we proceeded from the assumption that the operator cannot write the threat model or the regulatory documents on PD processing by itself. Consequently, our service must include support for the operator in these matters, and this task can be solved in different ways:

The service we designed solves all of the listed issues in one form or another.
In addition, the service must be updated to follow every change in the legislation on the protection and processing of personal data.
It now seems that our task is solved: we have a solution for meeting the requirements of the legislation that requires a minimum of labor and financial investment from the client, while keeping it compliant with current legislation is the "headache" of the cloud provider, not of the operator.


Source: https://habr.com/ru/post/259891/
